SquirrelMail plugins compromised
[Posted July 31, 2009 by corbet]
| From: | Jon Angliss <jon-AT-squirrelmail.org> |
| To: | squirrelmail-announce-AT-lists.sourceforge.net |
| Subject: | [SM-ANNOUNCE] SECURITY: SquirrelMail Web Server Status, and Plugins Update |
| Date: | Thu, 30 Jul 2009 23:42:28 -0500 |
| Cc: | squirrelmail-plugins-AT-lists.sourceforge.net, squirrelmail-users-AT-lists.sourceforge.net, squirrelmail-admins-AT-lists.sourceforge.net, squirrelmail-devel-AT-lists.sourceforge.net |
All,
We apologise for the extended downtime for the SquirrelMail plugins
repository, and some of the SquirrelMail site documentation.
Unfortunately due to conflicting time schedules, and some
miscommunications amongst the team (mostly my fault), the server
was unavailable for an extended length of time.
Server Status
-------------
This evening, after an extended downtime, we finally rolled to using
the new server. XS4All.nl were gracious in loaning us an additional
server whilst we migrated our data, to the new server. All
documentation should now be online again, and active. If you notice
any issues with the site, please feel free to email me directly,
I'll get onto it as soon as I can.
Plugins Compromise
------------------
During the initial announcement, we'd mentioned that we did not
believe that any of the plugins had been compromised. Further
investigation has shown that the following plugins were indeed
compromised:
- sasql-3.2.0
- multilogin-2.4-1.2.9
- change_pass-3.0-1.4.0
Parts of these code changes attempt to send mail to an offsite
server containing passwords. We cannot establish a timeline of when
these plugins were compromised. If you are a user of these plugins,
it is strongly recommended you download a fresh copy from the
plugins repository. MD5s for the good versions are below:
a492922e5b0d2245d4e9bc255a7c5755 sasql-3.2.0.tar.gz
b143f2dc82f9e98dd43c632855255075 multilogin-2.4-1.2.9.tar.gz
2cff7c5d4f6f5d8455683bb5d96bb9fe change_pass-3.0-1.4.0.tar.gz
Plugins Availability
--------------------
As of now, the plugins are available to download again. I
personally apologise for the extended outage of this, as I know some
of you have been eager to get these back up and running again. Once
again, if you notice any issues with the site, feel free to email.
--
Jon Angliss
<jon@squirrelmail.org>